Security news that informs and inspires

Bug in CrowdStrike Falcon Allows Removal of Security Agent

UPDATE--Researchers have identified a vulnerability in CrowdStrike’s Falcon cloud-based endpoint protection system that enables a privileged user to bypass an important feature and uninstall the Falcon agent from any machine.

The bug affects at least two versions of the Falcon agent, versions 6.31.14505.0 and 6.42.15610, and an attacker who can successfully exploit it would be able to remove the Falcon anti-malware and EDR agent from a target computer. In order to exploit the flaw, however, an attacker would first need to have administrator privileges on the machine, which is a significant hurdle, but not an impossible one to clear. There is a thriving underground market for valid user and admin credentials and cybercrime groups and ransomware gangs often purchase access to corporate networks from initial access brokers who steal or buy credentials.

“The sensor can be configured with a uninstall protection. It prevents the uninstallation of CrowdStrike Falcon sensor on the end-device without a one-time generated token,” the advisory from researchers at modzero says.

“Exploiting this vulnerability allows an attacker with administrative privileges to bypass the token check on Windows end-devices and to uninstall the sensor from the device without proper authorization, effectively removing the device's EDR and AV protection.”

Researchers at modzero, a Swiss research and services group, discovered the vulnerability and notified CrowdStrike in June. CrowdStrike asked the researchers to report it through the company’s HackerOne bug bounty program and sign a non-disclosure agreement. The researchers declined both requirements, and after several months of back-and-forth discussions in which CrowdStrike told the researchers that the issue was not considered a valid security concern, modzero published the details of the flaw and a proof-of-concept exploit for it on Monday. The researchers initially tested one specific version of Falcon, but later in the process were able to get access to a newer version and found that the initial exploit they sent to CrowdStrike was flagged as malicious behavior and other countermeasures to the exploit had been included.

“As the issue was not considered valid, we informed CrowdStrike that we would release the advisory to the public. In response, CrowdStrike tried again to set up a bug bounty disclosure meeting between ‘modzero's Sr Leadership’ and CrowdStrike CISO "[...] to discuss next steps related to the bug bounty disclosure" in contrast to our previously stated disclosure rules,” a blog post by modzero says.

“Sometime later, we were able to acquire an updated version of the sensor and discovered that parts of the formerly provided exploit code and a specific msiexec call, are now flagged as malicious behaviour by the sensor. This leads us to conclude that CrowdStrike tried to "fix" the issue, while being told the issue didn't exist. Which is pretty disrespectful to us. We were able to circumvent the countermeasures introduced silently by CrowdStrike. With small changes to the exploit, it is now working again (tested with version 6.42.15610 of the CrowdStrike Falcon software).”

CrowdStrike said in an email statement that the issue is with the Microsoft MSI implementation.

“We want to set the record straight on how this situation transpired. As both parties have stated, we engaged with modzero immediately upon receipt of them reporting the issue on June 29. As modzero has indicated, the issue reported is with Microsoft’s MSI implementation and requires local access and admin privileges. On July 8, less than 10 days of receipt of this initial report, we notified all Falcon customers via a Technical Alert (crediting modzero), and we subsequently reported the MSI bug to Microsoft," the statement says.

"We attempted to continue the dialogue with modzero in early July to no avail and did not hear from them over the past 6 plus weeks until yesterday, when they published their blog. In line with industry best practices, we are committed to engaging with the research community in a positive and professional manner that protects customers. Responsible and timely disclosure is an important part of the process of building trust and supporting the security community, which is why CrowdStrike runs an open and transparent bug bounty program with partners such as HackerOne.”

This story was updated on Aug. 23 to add the CrowdStrike statement.